What Makes A B2B Mailing List GDPR Compliant?

Now that we are all getting used to GDPR, you have probably seen mailing lists advertised with the reassuring words “GDPR Compliant Data”. But what does it mean for b2b mailing list data to be GDPR compliant?

  1. The mailing list has to be current and up-to-date. The new General Data Protection Regulation does not define ‘current’. Electric Marketing is taking the view that our mailing lists, verified by telephone two or three times a year, qualify as being current.
  2. If the mailing list contains personal information (and names, and company email addresses which contain a person’s name, do count as personal information), every person on the list must be informed that they are on the mailing list and of the extent of the information held by the data owner. This is not the same as consent, but a mailing list owner should contact the data subject and give them the opportunity to opt out. Unlike consumer marketing, where consent is required, business-to-business marketing remains an opt-out regime.
  3. Data must have been collected lawfully, i.e. data must not be stolen and must have been collected for the purpose it is being used for; e.g. data subjects should not be told that their email address will be used for research purposes only to be sent sales and marketing emails.
  4. It may seem obvious, but the mailing list company itself must comply with the GDPR and must be registered with the ICO (every registered company has an ID issued by the ICO). GDPR compliance for marketing data companies requires that data be stored in a secure environment. Staff must be trained in the obligations GDPR places upon the company. The mailing list company must have a Data Protection Policy (internal company document), a Privacy Policy and a Legitimate Interests Assessment in place. If you cannot see the privacy policy and the Legitimate Interests Statement on the mailing list company’s website, you can ask to see them.

So now you know what to expect of a reputable mailing list supplier. My next blog covers the steps that you, the user of bought-in b2b email lists, must take when running a GDPR compliant email marketing campaign.

How To End Your Business Marketing eMail in the Post-GDPR age

Have You Invested In an eMailing List which is GDPR Compliant?

Have you remembered to change your email sign-offs and to put links to your privacy policy and legitimate interests assessment in your marketing emails?

After the deluge of permissioning emails around GDPR, many people are acutely aware of which emails they have signed up to receive and which requests for permission they denied or ignored.

This means that slack marketers can no longer rely on the short memory of a target by writing something like this:

“You are receiving this email as you have subscribed in the past to receive information about our events. If you wish to update your email preferences or unsubscribe, please click the link below”.

Yes, this statement is doing the right thing by offering an unsubscribe, but post-GDPR this sort of email sign-off is increasingly being called out by targets.

A little white lie claiming that the prospect is receiving emails because they have ‘previously signed up’ or ‘enquired in the past’ when the marketer bought in an email list and the company has no previous relationship with the data subject does not enhance your campaign. In the post-GDPR age, very few people are falling for this anymore.

Transparency is one of the key principles of GDPR. We suggest that you follow the ICO recommendations of adopting a ‘layered approach’ to giving data subjects information about privacy and legitimate interests. Somewhere on your marketing email, you should state the reason for contacting the company under the terms of legitimate interests and you should provide a link to your privacy policy, which in turn has a link to your legitimate interests assessment.

I have seen this at the bottom of a few emails this month:

“This email was sent to you as a corporate subscriber within the meaning of the Privacy and Electronic Communications Regulations 2003. Your personal data are protected under the General Data Protection Regulation and Data Protection Act 2018. If you would like to know how and why you have received this message, please visit our information page.”

(Unfortunately the information page link clicks through to something that is blocked by my office spamblock, but I’d like to think it is a link to a Privacy Policy and a Legitimate Interests Assessment.)

Electric Marketing is signing off its emails with this:

“As a GDPR compliant company, we would like to explain why you have received this email. We believe that you have a need for business marketing data within your business. We have identified your email address as being an appropriate point of contact within your organisation. This represents legitimate interest in line with the ICO’s guidance. Our Privacy Notice is available here.”

Like the new regulation, our statement is a bit clunky, but as we all get used to what GDPR means for business-to-business marketing, this will no doubt become shorter and snappier over time.